Warning: Actively Exploited Vulnerabilities in Cisco Adaptive Security Appliance and Firepower Threat Defense Software. Patch Immediately!
- CVE-2024-20353: 8.6 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
- CVE-2024-20358: 6.0 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
- CVE-2024-20359: 6.0 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
Sources
Cisco Systems Inc.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-cmd-inj-ZJV8Wysm
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h
NIST
https://nvd.nist.gov/vuln/detail/CVE-2024-20353
https://nvd.nist.gov/vuln/detail/CVE-2024-20358
https://nvd.nist.gov/vuln/detail/CVE-2024-20359
Risks
On April 24, 2024, Cisco Systems Inc. published information about three vulnerabilities in their Cisco Adaptive Security Appliance and Firepower Threat Defense Software (CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359). At the same time, the company released patches for the affected software.
Two of the vulnerabilities, CVE-2024-20353 and CVE-2024-20359, are confirmed by Cisco Systems Inc. to have been exploited in the wild. A separate blog post by Cisco Talos further details the exploits, which it links to a campaign - dubbed "ArcaneDoor" - by a new and presumably state-sponsored actor ("UAT4356", aka "STORM-1849") with a clear focus on espionage.
CVE-2024-20353, the vulnerability with the highest CVSS score of 8.6, allows an unauthenticated remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition and a high impact on availability. Cisco Talos reported abuse of this forced reboot to install a persistent backdoor. In addition, the reboot causes a loss of forensic evidence in case of compromise.
Exploitation of CVE-2024-20358 and CVE-2024-20359 - both 6.0 MEDIUM - could have a high impact on confidentiality and integrity.
Description
CVE-2024-20353 is caused by incomplete error checking when parsing an HTTP header. An attacker sending a crafted HTTP request to a web server on a vulnerable device could cause a denial of service (DoS).
CVE-2024-20358 exists because of improper sanitisation of backup file content at restore time. An attacker could exploit the vulnerability locally by restoring a crafted backup file to an affected device, which would allow the execution of arbitrary commands on the underlying Linux operating system as root.
CVE-2024-20359 exists because of improper validation of a file when it is read from system flash memory. An attacker could exploit the vulnerability locally by copying a crafted file to the disk0: file system of an affected device, which would allow the attacker to execute arbitrary code on the affected device after the next reload of the device. The injected code could persist across reboots.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organisations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
- Any gaps in logging or any recent unexpected reboots of these appliances should be treated as suspicious activity that warrants further investigation.
- The CCCS cyber security advisory provides a listing of Cisco ASA alert codes to review for potential malicious activity.
- The articles linked in the reference section provide additional Indicators of Compromise (IoCs).
- The Cisco Talos report provides additional guidance when performing Cisco ASA Forensic Investigation.
- It is advised to check for the presence of Line Dancer prior to checking for the presence of Line Runner, as a device reboot will remove traces of Line Dancer.
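The first bullet above (logging gaps and unexpected reboots as triage signals) can be checked mechanically against a central syslog archive. The script below is an added example for this advisory, not CCB, Cisco or CCCS code. It assumes ASA syslog is forwarded with timestamps in the form "Apr 24 2024 10:15:01 fw01 : %ASA-6-NNNNNN: text"; the sample lines are constructed, the message IDs in them are placeholders rather than real Cisco message numbers, and the "startup completed" phrase used as a restart marker is an assumed string that should be replaced with the message IDs listed in the CCCS advisory.

```python
"""Flag syslog gaps and restart markers per Cisco ASA host.

Added example for this advisory (not CCB or Cisco code). Reads a
centrally collected syslog archive, because logs on the appliance
itself may be lost by the forced reload described in the advisory.
"""
from datetime import datetime
import re

# Assumed line layout: "<Mon DD YYYY HH:MM:SS> <host> : %ASA-<sev>-<id>: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : %ASA-(?P<sev>\d)-(?P<id>\d+): (?P<msg>.*)$"
)
TS_FMT = "%b %d %Y %H:%M:%S"

# Constructed sample: message IDs 000001/000002 are placeholders, not real
# Cisco IDs. A 25-minute silence is followed by a restart-style message.
SAMPLE_LOG = """\
Apr 24 2024 10:15:01 fw01 : %ASA-6-000001: Built outbound TCP connection (placeholder)
Apr 24 2024 10:15:31 fw01 : %ASA-6-000001: Built outbound TCP connection (placeholder)
Apr 24 2024 10:16:02 fw01 : %ASA-6-000001: Built outbound TCP connection (placeholder)
Apr 24 2024 10:41:17 fw01 : %ASA-5-000002: Startup completed (placeholder restart marker)
Apr 24 2024 10:41:40 fw01 : %ASA-6-000001: Built outbound TCP connection (placeholder)
"""

# Assumed restart phrases; replace with the alert codes from the CCCS advisory.
RESTART_MARKERS = ("startup completed",)


def parse_log(text):
    """Return a list of event dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "host": m["host"],
            "sev": int(m["sev"]),
            "id": m["id"],
            "msg": m["msg"],
        })
    return events


def find_gaps(events, max_gap_seconds=600):
    """Per host, report consecutive events more than max_gap_seconds apart."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    gaps = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            delta = int((cur["ts"] - prev["ts"]).total_seconds())
            if delta > max_gap_seconds:
                gaps.append({"host": host, "start": prev["ts"],
                             "end": cur["ts"], "gap_seconds": delta})
    return gaps


def find_restarts(events, markers=RESTART_MARKERS):
    """Events whose text contains one of the restart marker phrases."""
    return [e for e in events if any(k in e["msg"].lower() for k in markers)]


def triage(text, max_gap_seconds=600):
    """Human-readable findings: every gap and every restart marker."""
    events = parse_log(text)
    findings = []
    for g in find_gaps(events, max_gap_seconds):
        findings.append(f"{g['host']}: no syslog for {g['gap_seconds']}s "
                        f"between {g['start']} and {g['end']}")
    for r in find_restarts(events):
        findings.append(f"{r['host']}: restart marker at {r['ts']}: {r['msg']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

A gap paired with a restart marker is the reboot pattern the advisory describes; a gap without one may be a collector or relay outage, and the advisory treats both as worth investigating. The threshold should be set below the quietest interval the appliance normally produces so that silence, not just an explicit restart message, is surfaced.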
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns